Salsa20 Cryptanalysis: New Moves and Revisiting Old Styles

Transcription

1 Salsa0 Cryptanalysis: New Moves and Revisiting Old Styles Subhamoy Maitra 1, Goutam Paul 1, Willi Meier 1 Indian Statistical Institute, Kolkata, India {subho,goutam.paul}@isical.ac.in FHNW, Windisch, Switzerland willi.meier@fhnw.ch Abstract. In this paper, we revisit some existing techniques in Salsa0 cryptanalysis, and provide some new ideas as well. As a new result, we explain how a valid initial state can be obtained from a Salsa0 state after one round. This helps in studying the non-randomness of Salsa0 after 5 rounds. In particular, it can be seen that the 5-round bias reported by Fischer et al. (Indocrypt 006) is a special case of our analysis. Towards improving the existing results, we revisit the idea of Probabilistic Neutral Bit (PNB) and how a proper choice of certain parameters reduce the complexity of the existing attacks. For cryptanalysis against 8-round Salsa0, we could achieve the key search complexity of 47. compared to 51 (FSE 008) and 50 (ICISC 01). Keywords: Stream Cipher, Salsa0, Salsa0/1, Non-Randomness, Round Reversal, Probabilistic Neutral Bit (PNB), ARX Cipher. 1 Introduction Salsa0 [] was designed by Bernstein in 005 as a candidate for estream [9] and Salsa0/1 has been accepted in the estream software portfolio. It has generated serious attention in the domain of cryptanalysis and quite a few results have been published in this direction [3, 4, 8, 1, 5, 7, 6] that show weaknesses of this cipher in reduced rounds. The main ideas in all these papers are circled around the following two issues. Put some input difference at the initial state and then try to obtain certain bias in some output differential. Once you can move forward a few rounds with the above strategy, try to come back a few rounds from a final state after a certain rounds obtaining further non-randomness. Combining the above ideas, one may find some non-randomness in Salsa0 for forward plus backward many rounds. The first result on Salsa0 cryptanalysis by [3] used this idea to move forward 3 rounds from the initial state and to come back rounds from the final state for an attack on 5-round Salsa0. Later in [1], biased differentials till 4 forward rounds have been exploited and then the attack considered moving backwards from the final state for 4 rounds to obtain an 8-round attack on Salsa0. Before proceeding further, let us briefly explain the structure of Salsa0 stream cipher. This cipher considers 16 words, each 3-bit. We may refer to this as the Salsa state and a state can be written in 4 4 matrix format as follows: x 0 x 1 x x 3 c 0 k 0 k 1 k X = x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 = k 3 c 1 v 0 v 1 t 0 t 1 c k 4. x 1 x 13 x 14 x 15 k 5 k 6 k 7 c 3 The rightmost matrix shows the initial state, that takes four predefined constants c 0,..., c 3, 1 56-bit key k 0,..., k 7, 64-bit nonce v 0, v 1 and 64-bit counter t 0, t 1. Since this is with 56-bit keys, we can refer it as 56-bit Salsa. Similarly, one can use the same cipher with 18-bit key, where k i = k i+4, for 0 i 3 and the constants are c 0,..., c 3. One may note the little differences in c 1, c for the 18-bit and 56-bit 1 c 0 = 0x , c 1 = 0x330646e, c = 0x796d3, c 3 = 0x6b c 0 = 0x , c 1 = 0x310646e, c = 0x796d36, c 3 = 0x6b06574.

2 version. In this paper, we are considering 56-bit key throughout. However, studying similar techniques for 18-bit key will also be interesting. The basic nonlinear operation of Salsa0 is the quarterround function. Each quarterround(a, b, c, d) consists of four ARX rounds, each of which comprises of one addition (A), one cyclic left rotation (R) and one XOR (X) operation as given below. b = b ((a + d) 7), c = c ((b + a) 9), d = d ((c + b) 13), a = a ((d + c) 18). Each columnround works as four quarterrounds on each of the four columns of the state matrix and each rowround works as four quarterrounds on each of the four rows of the state matrix. In Salsa0 (one can call it Salsa0/0), ten times the columnround and ten times the rowround are applied alternatively on the initial state. One may note that this can be considered as application of the columnround and transpose of the state matrix [6] twenty times. This helps in understanding the cipher better as in this case every round of Salsa0 becomes identical. To be precise, in each round, we first apply quarterround on all the four columns in the following order: quarterround(x 0, x 4, x 8, x 1 ), quarterround(x 5, x 9, x 13, x 1 ), quarterround(x 10, x 14, x, x 6 ), and quarterround(x 15, x 3, x 7, x 11 ), and then a transpose(x) as follows. x 0 x 1 x x 3 x 0 x 4 x 8 x 1 X = x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 XT = x 1 x 5 x 9 x 13 x x 6 x 10 x 14. x 1 x 13 x 14 x 15 x 3 x 7 x 11 x 15 By X (r), we mean that r such rounds have been applied on the initial state X. Hence X (0) is the same as the initial state X. Finally, after R rounds we have X (R). Then a keystream block of 16 words or 51 bits is obtained as Z = X + X (R). For Salsa0, R = 0. However, the one accepted in estream [9] software portfolio is Salsa0/1, where R = 1. Naturally, more rounds will provide better security and less rounds will provide higher speed. One may note that each Salsa0 round is reversible as the state-transition operations are reversible. In other words, if X (r+1) = round(x (r) ), then X (r) = reverseround(x (r+1) ), where reverseround is the inverse of round and consists of first transposing the state and then applying the inverse of quarterround for each column as follows. a = a ((d + c) 18), d = d ((c + b) 13), () c = c ((b + a) 9), b = b ((a + d) 7). Consider that one obtains a state X (1) after one round of Salsa0. Now to know whether it is a valid state after one round, one needs to come back by one reverse round and then check whether the constants in the diagonal elements are indeed the specified ones. This is the constraint for 56-bit Salsa0. However, for 18-bit Salsa0, one needs to have another constraint related to the key words apart from matching the constants. That is, we need to have k i = k i+4, for 0 i 3. Let us now present a few more notations. We have already denoted x i as the i-th word of the matrix X. By x i,j, we mean the j-th bit (0-th bit is the least significant bit) of x i. Given two states X (r), X (r), we denote (r) i = x (r) i x (r) i. By (r) i,j = x(r) i,j x (r) i,j (1), we mean the difference between two states at the j-th bit of the i-th word after r many rounds. That is, (0) 7,31 = 1 means that we have two initial states X (0), X (0) that differ at the 31-st (most significant) bit of the 7-th word (a nonce word) and they are same at all the other bits of the complete state. In such a case, one can obtain significant biases after 4 rounds. That is, in general, we are interested to input a difference at the initial state (call it Input Differential or ID) and then try to obtain some bias corresponding to combinations of some output bits (call it Output Differential or OD). Most naturally, one can compute Pr( (r) p,q = 1 (0) i,j = 1) = 1 (1 + ɛ d),

3 where the probability is estimated for a fixed key and all the possible choices of nonce and counter words v 0, v 1 and t 0, t 1 respectively, other than the constraints imposed due to the input differences on keys or nonces/counters 3. The term ɛ d is a measure of the amount of the bias away from the probability of a random event and is naturally referred as the bias in the literature. Now we present the advantage of coming back one round. Consider that one likes to put some input differences in a state to obtain some output differential after a few rounds. Let X (1), X (1) be the two initial states that differ in a few places and we obtain some bias Pr( (r) p,q = 1 (1) i,j = 1) = 1 (1 + ɛ d). That is, actually we consider (r 1) rounds here. If it is possible to get back one round each from X (1), X (1) such that X (0), X (0) are valid initial states with differentials (0) i 1,j 1, (0) i,j,... etc, then we can consider the situation Pr( (r) p,q = 1 (0) i 1,j 1 = 1, (0) i,j = 1,...) = 1 (1 + ɛ d). That is, we can exploit the bias as if it is after r rounds. This helps in analysing Salsa0 by one additional round. Outline & Contribution In Section, we provide experimental details of biases for single bit ID and single bit OD after 4 rounds. These biases might have been studied in existing works, but we did not obtain any comprehensive list in published literature. In fact, in this process, we obtain some biases which are more significant than the published ones. We use some of these biases in the later sections. In Section 3, we explain how one can come back to a valid initial state from a Salsa0 state after one round. This helps in interpreting many four round biases as five round ones and provides a generalized framework for the 5-round biased differential pointed out in [4]. In Section 4, we revisit the cryptanalysis of Salsa0/8 as described in [1]. Interestingly, we note that with experiments the median of certain biases are 4 times more than what observed in [1]. Further, we look at the trade-off between carefully choosing more PNBs at the cost of accepting less probability for distinguishing the correct key from the wrong keys. In the process, we show that the same 36 PNBs as considered in [1] as well as more ( = 41) PNBs can be exploited to obtain a key recovery attack with key search complexity of 47.. The earlier results in this direction were 51 [1] and 50 [7]. Biases after 4 rounds and some interesting patterns We experimented with all combinations of single bit ID with single bit OD after four rounds. It is natural to ask why one should consider ID in all the input bits. We study all these as we will later consider the IDs as if they appear after one round and then we will try to come back one round in reverse direction. During the experimentation, we decided that we will consider probabilities which are at least 10 away from the random probability 1. That is we consider the cases where the probabilities are either less than 1 (1 1 ) = or more than 1 10 (1 + 1 ) = We note that working with 5 samples for 10 each case is enough to study such biases from the basic idea of distinguishers (see [1] and the references therein). In [1], the strongest bias reported after four rounds was Pr( (4) 1,14 = 1 (0) 7,31 = 1) = 1 ( ), that has been used for the cryptanalysis of Salsa0/8. In addition to all the known biases including the above, we observed quite a few stronger biases than the ones in [1], for example, Pr( (4) 11,17 = 1 0 8,31 = 1) = 1 ( ), Pr( (4) 6,6 = 1 (0) 7,31 = 1) = 1 ( ), Pr( (4) 11,6 = 1 0 8,31 = 1) = 1 ( ) etc. From the experimental data, we find a few interesting observations. With an ID 0 1,j or 0 6,j or 0 11,j or 0 1,j, the maximum negative bias after 4 rounds occurs in the OD s 4 1,(j+) or 4 1,(j+) or 4 6,(j+) or 4 11,(j+) respectively4. That is, the word positions in the ID and OD forms a cycle , where w u implies that an ID 0 w,j causes the maximum negative bias in the OD 0 u,j+. In the next section, we would see that these are precisely the word positions that help us 3 Since most of the biases in literature are obtained through experimentation, these biases are estimated over a large number of experiments. 4 The + in (j + ) denotes addition modulo 3 here.

4 to reduce a search of biased differentials after 5 rounds to a search of those after 4 rounds through one round reversal. A detailed study of multiple bit IDs and multiple bit ODs are also interesting and a few very high biases have been reported in [1, 7]. However, those biases could not be exploited efficiently to obtain better cryptanalytic results yet. The complete details of all the biases will be available in the full version of this paper. 3 Reversing one round of Salsa0 There are several state of the art works that studied biases in Salsa0. The most significant biases, by considering some output differential given some input difference, could be obtained after 3, 4 and 5 rounds [3, 4, 8, 1, 5, 7, 6] and these biases have been exploited suitably to obtain several cryptanalytic and non-randomness results in Salsa0 till 8 rounds. One of the most significant biases after 5 rounds has been reported in [4, Section 3.3]. They considered the differentials (0) = 0x , (0) 6 = 0x , (0) 14 = 0x This shows an output bias after 5 rounds as follows: Pr( (5) 6,1 = 1 (0) = 0x , (0) 6 = 0x , (0) 14 = 0x ) 1 ( ). (3) Note that this probability is less than 1 1 and thus, the negative bias in absolute terms is more than 1 1. The experimental data we present here is after 30 runs which is enough to assess these biases with 11 high confidence. However, one observation here is very interesting, which shows that after one round, in certain cases, this generates a differential in only one bit, namely, (1) 11 = 0x At the same time, there are many cases where there exist other differentials in addition to (1) 11 = 0x This provides the main motivation of our study. We note that if one can start with some differentials such that after one round the differential is only at a single bit, then we will have sharper bias. We look at the problem from another direction. Consider the input difference (1) 11 = 0x In this case, Pr( (5) 6,1 = 1 (1) 11 = 0x ) 1 ( ), (4) which is a much sharper bias. At the same time, one may note that if one comes back by reversing one round, this keeps both the states valid and the differentials are such that (0) = 0x , (0) 6 = 0x , (0) 14 = 0x8??80000). We will get into detailed proof later and also the characterization of? positions, but if one starts with such differentials, then we obtain a bias much sharper than what described in [4, Section 3.3]. In fact, noting the pattern by going back in reverse direction by one round, with this idea we could immediately improve the bias mentioned in (3) from [4] as Pr( (5) 6,1 = 1 (0) = 0x , (0) 6 = 0x , (0) 14 = 0x ) 1 ( ). (5) We have included one additional bit of differential in the word 14 to obtain a better bias over [4]. Before proceeding further let us describe the differential patterns. Given two states X (r), X (r), we represent the differential state matrix as (r) = (r) 0 (r) 1 (r) (r) 3 (r) 4 (r) 5 (r) 6 (r) 7 (r) 8 (r) 9 (r) 10 (r) 11 (r) 1 (r) 13 (r) 14 (r) 15,

5 where (r) i = x (r) i x (r) i. As described in [4], we actually have the following scenario from the initial state to the state after application of one forward round x x x???????? 0x???????? 0x???????? 0x x Had one managed the unknown places to zero in the differential pattern after one round, the bias described in [4] would have been much sharper. In this direction, we look at this by reversing one round x x x x??? Thus one important question is to characterize the bits in the 14-th word. Next, we present the main theoretical result in this direction. Theorem 1. Let X (0) be an arbitrary valid initial state. Suppose, after the first round, we modify X (1) = round(x (0) ) to X (1) with the differential (1) 11,31. Then reverseround(x (1) ) yields a valid initial state X (0) with the differential 0 0 0x (0) = 0 0 0x x??? Proof. The first step in reverseround(x (1) ) is transpose(x (1) ), which changes the differential (1) 11,31 to the differential (1) 14,31. In the next step, reverse of quarterround would be applied to each column independently. Since position 14 appears in the 3rd column, let us focus on the effect of the inverse of quarterround on this column. All other columns would have 0 differentials after the inverse. From Equations (), we can write the relevant equations as follows. x (0) 10 = x(1) 10 ((x(1) + x (1) x (0) 6 = x (1) 6 ((x (1) 14 + x(1) 6 ) 18), ) 13), x (0) = x (1) ((x (0) 10 + x(1) 14 ) 9), x (0) 14 = x(1) 14 ((x(0) 6 + x (0) 10 ) 7). The same equations hold for x as well. Now, let us analyze the differentials. In the first equation, all the words of x (1) and x (1) are identical. Hence, (0) 10 = 0. This proves that the state X (0) is a valid initial state. In the second equation, x (1) and x (1) differ only in the MSB of the word 14, which causes a differential only in the MSB of the sum. After 13-bit left rotation, this differential moves to the bit position 1 of the term to the right of. Hence, (0) 6 = 0x In the third equation, again x (1) and x (1) differ only in the 31st bit of the word 14, which causes a differential only in the 31st bit of the sum. After 9-bit left rotation, this differential moves to the bit position 8 of the term to the right of. Hence, (0) = 0x In the fourth equation, the sum will have a differential in the bit position 1 due to (0) 6,1 = 1. There may be differentials to the left of the bit position 1, due to carry propagation. After 7-bit left rotation, the differential in the bit position 1 moves to the bit position 19 of the term to the right of. Hence, = 0x??? (0) 14 The value of??? in (0) 14 depends on x(0) 6, which is nothing but the nonce v 0. Again, both v 0 = x (0) 6 and v 0 = x (0) 6 (that differ in bit position 1 only) is added to the same constant c = x (0) 10 = x (0) 10 = 0x796d36, which has 3 consecutive 0s in the bit positions 14, 15, 16 and again in the bit positions 18, (6)

6 19, 0 (these positions move to the left by 7 positions after the rotations). So in most cases, the effect of the carry is absorbed before it reaches from position 19 (i.e., 1 rotated by 7 positions) to position 31. Thus, the most frequent value of (0) 14 is observed to be 0x8?? Though there are multiple possible values of (0) 14 for (1) 11 = 0x , the value of (0) 14 is uniquely determined for a given nonce. We can explicitly write (0) 14 = 0x [(c + v 0 ) 7] [(c + (v 0 0x )) 7]. (7) With all these constraints on the initial state, one can obtain the bias as described in (4). Let us discuss another example here. We consider the ID at the 31st bit of the 6th word and the OD at the 1st bit of the 1st word. By Theorem, once (1) 6,31 is applied to a valid state after one round, the resulting state when reversed, yields another valid initial state. Similar to Theorem 1, one can show that the differential matrix goes through the following transition. 0 0x x??? x x Similar to Equation (7), the value of (0) 9 is uniquely determined for a given key as follows (0) 9 = 0x [(c 1 + k 0 ) 7] [(c 1 + (k 0 0x )) 7]. Let S d be the set of such valid input differences. We then map four-round biases with the ID-OD pair ( (0) 6,31, (4) 1,1 ) to five-round biases with the ID-OD pair ( (0), (5) 1,1 ), where (0) S d. In this case, 1 (1 + ɛ d) = and so ɛ d = If we introduce an arbitrary differential after one round to convert X (1) to X (1), then reversing X (1) does not always yield a valid initial state. In the next result, that is a generalization of Theorem 1, we study the positions of those differentials and surprisingly, the word positions where the differentials are considered, coincide with the interesting cycle-forming positions discussed in Section. Theorem. Let X (0) be an arbitrary valid initial state. Suppose, after the first round, we complement any combination of the 18 bits of the words x 1, x 6, x 11 and x 1 of X (1) to obtain X (1). Then X (0) = reverseround(x (1) ) is always a valid initial state. Proof. The first step in reverseround(x (1) ) is transpose(x (1) ), which changes the word positions 1, 6, 11 and 1 to 4, 9, 14 and 3 respectively. In the next step, reverse of quarterround would be applied to each column independently. Thus, the differentials in word positions 4, 9, 14 and 3 affect only the first, second, third and the fourth columns respectively. Due to symmetry, the reverse equations for any column would be similar to the system of equations (6) (the equations for the 3rd column). Note that in every column, the diagonal element is reversed first using two word positions excluding the positions 4, 9, 14, 3 (respectively for the 1st, nd, 3rd and 4th columns). Thus, in X (0) = reverseround(x (1) ), the diagonal elements have zero differentials with those of X (0) ensuring that X (0) is a valid initial state. This idea helps us in translating the biases after 4 rounds to that of 5 rounds by reversing one round. One should also note that the reversal of one round is independent of the exactly chosen values of the constants c 0, c 1, c, c 3 in Salsa0. One interesting question is: if one introduces some differential in any bit combinations other than those of the words x 1, x 6, x 11 and x 1 of X (1), would reversing one round lead to an invalid initial state? The answer is not necessarily. It depends on the key/nonce/counter values. For example, one may introduce (1) 8 = 0x and (1) 9 = 0x together to X (1) to generate X (1). During reversal, the transpose operation shifts the positions of these differentials to the word positions and 6 respectively. Now one may look at the first equation in the system of equations (6). Since the two words that are added have

7 differentials in the MSBs, the sum would have zero differential. Thus, (0) 10 would become 0, implying that X (0) is a valid initial state. The structure of the differential states are as follows x x x x x??? It would be an interesting combinatorial problem to characterize all such states. 4 Revisiting PNBs and improved cryptanalysis of Salsa 0/8 The cryptanalysis on Salsa0 that we discuss now is a known plain text only attack. The 51-bit key stream of Salsa0/R is X + X (R). In the known plain text model X + X (R) is completely available to the attacker. However, the 56 key bits are not available, thus only rest 56 bits of X are known. The motivation is to guess the 56 key bits of Salsa0/R with a key search complexity less than 56, the complexity for exhaustive search. The concept of Probabilistic Neutral Bits (PNBs) was exploited against Salsa0 in [1] in this framework. Before describing our parameters for an improved attack complexity, we first provide a brief and simple description of the generic attack using PNBs on Salsa0/R. For detailed understanding and formal definitions in this area, one may refer to [1, Section 3]. Suppose X, X are two valid initial states with a given ID (0) i,j bias ɛ d in an OD (r) p,q after r < R Salsa rounds. Thus, Pr( (r) p,q = 1 (0) i,j = 1, for which we observe a high = 1) = 1 (1 + ɛ d), where (r) = X (r) X (r). The two keystream blocks after R rounds are given by Z = X + X (R) and Z = X + X (R). Suppose, in both X and X, we complement a particular key bit position k to yield the states X and X respectively. Next, we reverse the states Z X and Z X by R r rounds to yield the states Y and Y respectively. Let Γ p,q = Y p,q Y p,q. If the bias in the event ( (r) p,q Γ p,q = 0 (0) i,j = 1) is high5, then we call the key bit k a probabilistic neutral bit (PNB). If Pr( (r) p,q Γ p,q = 0 (0) i,j = 1) = 1 (1 + γ k), then γ k is called the neutrality measure of the key bit. One should run this experiment for each key bit several times over randomly chosen nonces and counters 6. By repeating this for all the 56 key bits, a subset of the key bits is identified, which are called the PNBs. Typically, a threshold probability 1 (1 + γ) is chosen to filter the PNBs. In other words, if γ k γ, then the key bit k is included in the set of the PNBs. Suppose the size of this subset is n and therefore the number of non-pnb bits are m = 56 n. The main idea behind the key recovery is to search these two sets separately. After the set of PNBs is determined, the actual attack considers search over the key bits which are not PNBs and by considering a distinguisher it is possible when the correct keys can be identified. The attack algorithm is clearly described in [1]. However, for practical simulations, it is not possible to complete this attack as the complexity is very high. Nevertheless, we need to obtain certain biases properly to estimate the complexity of the attack and that can be achieved by trying out the following. While studying the PNBs, in X and X, we complemented a particular key bit position k to yield the states X and X respectively. However, in this case, we assign random values to all the PNBs and keep the correct values of the keys in other places. That is, we assign correct key values to the m non-pnb key bits and assign random binary values to the n PNB key bits in both X and X to yield the states ˆX and ˆX respectively. Then we reverse the states Z ˆX and Z ˆX by R r rounds to yield the states (1 + ˆɛ). A higher value of ˆɛ means that the PNBs have been chosen properly and even without knowing the n PNBs it is possible to identify the rest of the key bits which are not PNBs. Next, we assign random binary values to all the 56 key bits in both X and X to yield the states X and X respectively. Then we reverse the states Z X and Z X by R r rounds to yield the states Ŷ and Ŷ respectively. Let ˆΓ p,q = Ŷp,q Ŷ p,q and Pr( ˆΓ p,q = 1 (0) i,j = 1) = 1 Ỹ and Ỹ respectively. Let Γ p,q = Ỹp,q Ỹ p,q and Pr( Γ p,q = 1 (0) i,j = 1) = 1 (1 + ɛ). 5 That is, (r) p,q = Γ p,q with high probability, given the ID. 6 We experiment this for 4 samples corresponding to each key bit, which is sufficient to identify the biases.

8 In actual key recovery attack, if the biases ˆɛ and ɛ can be efficiently distinguished, i.e., if the gap between the biases is significant with ɛ 0 (as it corresponds to a random event and should not have any bias), then we can conclude that the assignment ˆX yields the correct values for the non-pnb bits. This is what that needs to be experimented while choosing the set of PNBs. This also provides the estimate of ˆɛ that will be involved in the obtaining the complexity. To follow the same notation as in [1], we denote ɛ = ˆɛ in following discussion. In [1], the bias in the event ( ˆΓ p,q = (r) p,q) is denoted by ɛ a. In [1], the estimation of this bias is as follows. The key is fixed and one can vary the nonces and the counters to calculate one ɛ a. Then we consider many randomly chosen keys to obtain a set of ɛ a s and finally compute the median ɛ a s from this set. Similarly, the median ɛ d is estimated from the values of several ɛ d s corresponding to different keys. Finally one can estimate ɛ as the median value of ɛ s. The idea of using median is that, one can guarantee that the estimated probabilities will work for at least half of the keys. We will also use the same measure for our experiments. It was commented in [1] that one can approximate ɛ as ɛ d ɛ a. However, for our experiments, we calculate all the values ɛ, ɛ d and ɛ a separately. We have also checked that the approximation ɛ ɛ d ɛ a is not satisfied very closely and we will present experimental evidence related to it in the next section. Following [1], if the number of samples used is N and if the probability of false alarm is P fa = α, the complexity of the attack is then given by where the required number of samples is m (N + n P fa ) = m N + 56 α, (8) ( α ) log (ɛ ) N ɛ (9) for probability of non-detection P nd = Revisiting the complexity of attack in [1] In [1], for R = 8, for the forward rounds, r = 4 and the ID-OD pair had been ( (0) 7,31, (4) 1,14 ). In this case, 1 (1 + ɛ d ) = , i.e., ɛ d = Taking γ = 0.1, n = 36 PNBs have been reported in [1] (see Table 1 for exact key bits) and they estimated ɛ = as the median bias over all keys. In this case, m = = 0. The authors of [1] used the following result for estimating the complexity. Taking α = 8, one obtains N and thus, the total complexity becomes 0 ( ), which is approximately 51 [1]. In [7], this complexity has been improved by additionally considering two-step Column Chaining Distinguishers (CCD) that provides the reduced complexity of 50. However, we have got much improved results than [1] with our experiments. Note that the exact experimental figures related to the number of samples are not available in the paper [1]. We have checked with total 36 samples as follows. We take 10 randomly chosen keys and for each of them we take 6 randomly chosen counters and nonces. For each of these keys, we take the average data ɛ and then we consider the median of those ɛ s which comes to be ɛ = Surprisingly, we obtain 4 times more median bias than what observed in [1] for both ɛ a and ɛ. With this estimate, keeping all the other parameters same, the complexity of [1] can be revised as follows. In this case, we obtain N 6.73 and thus, the total complexity becomes 0 ( ) We can then reduce the complexity further by playing around with α. The key idea is that the larger of the terms m N and 56 α dominates the complexity expression in Equation (8). We can take α = 1.8 and in that case we obtain the complexity as 0 ( ) 0 7. = 47.. Note that during this optimization process, we have kept P nd fixed at , same as in [1]. Regarding the assumption ɛ ɛ a ɛ d in [1], we have considered the average µ ɛ of 104 samples of ɛ ɛ a ɛ d and the value of µɛ ɛ comes out to be = The approximation is not close as 0.16 is significantly away from zero.

9 4. Adding more PNBs For our study, we look at the PNBs more carefully. We use the same ID-OD pair to be ( (0) 7,31, (4) 1,14 ). Lowering γ, one can find many more PNBs. However, not all of them may be good candidates as the bias ɛ gets reduced too. Taking γ = (but we do not consider all the key bits having γ k γ and only consider them selectively; we describe this in detail little later), and 4 samples for each key bit, we found the optimized list of PNBs to include 5 additional key bits as in Table (a), other than the 36 key bits mentioned in [1]. Thus, in our analysis, n = 41 and m = = 15. After the PNBs are identified, we used 43 samples. These are 7 different keys and for each key we take an average of 36 randomly chosen counters and nonces. Note that in this case we need more samples than as in Section 4.1. This is because in this case the biases are much less. Our experiment shows that the median ɛ = For α = 1.8, we obtain the complexity as 15 ( ) = 47.. This is similar to the complexity obtained in Section Exact choices of the PNBs Now let us consider the exact details of choosing the PNBs. If one considers γ = 0.1 as in [1], the one obtains the 36 PNBs and the corresponding γ k s as in Table 1. The number of the key bit k and the corresponding γ k are presented one below the other in each cell of tables Table 1. Key-bits and the corresponding biases γ k 0.1 for the 36 PNBs of the 8-round attack [1]. We consider lower γ = and the additional key bits with γ k γ = (other than those in Table 1) are presented in Table (a) (these we include as PNBs) and Table (b) (these we do not include as PNBs). Note that the PNBs 108 and 6 have quite high values of γ and thus including those are quite logical. On the other hand, the PNBs 73, 178 and 48 have quite low values of γ. What we consider in these three cases is that they follow a good sequence of PNBs with high values of γ, for example 71, 7, 73, then 165,..., 177, 178 and 4,..., 47, 48. The choices of including (or not including) the key bits in the PNB set is done by detailed experimental investigation and obtaining a theoretical reasoning of this will be very interesting (could be elusive too) (a) (b) Table. (a) Biases γ k γ k for our additional 5 PNBs. (b) Key bits not in the set of PNBs in spite of In [1], the authors indeed commented that we note that the described complexities may be improved by choosing a smaller γ. However, this requires quite some amount of human intervention using trial and

10 error. It seems quite hard to obtain any improvement using automatized search given some parameter values as mentioned in [1, Section 3.5]. Further we have studied the experimental biases carefully and for ɛ a, ɛ the biases are found to be much more significant (four times) than what reported in [1], though we obtain the similar result for ɛ d. It will be interesting to have further experiments with the other 4-round biases (as described in Section, and also for more than one bit ID and OD scenarios) and the corresponding PNBs. However, we have made quite a good amount of investigations by trial and error and it will be challenging to obtain improved results in this direction. 5 Conclusion In this paper we have studied the Salsa0 stream cipher in detail. While most of the existing analysis on Salsa0 are from experimental efforts, in this paper we try to exploit some theoretical structures too. First we experimentally study the biases for single bit ID, single bit OD for Salsa0/4. Next we present a theoretical effort to understand how two Salsa0 states with certain differentials after one round can be reversed to valid initial states. This helps us to translate some 4-round biases of Salsa0 to 5-round biases. Our idea clarifies and generalizes an example of 5-round bias in [4]. Further we concentrate on PNBs as explained in [1]. We experimentally study how one can increase the number of PNBs with limited reduction in biases. Interesting we note that one can properly choose parameters so that results of [1, 7] can be improved. We show that Salsa0/8 can be cryptanalysed with a key search complexity of 47.. Using our idea of biases after 5 rounds and coming back 4 rounds from the 9th round, one can exploit similar ideas of PNBs as in Section 4 for obtaining non-randomness in related-key scenario of Salsa0/9. However, we could only obtain a complexity slightly less than the exhaustive search and one may need to explore it further towards significant results. Finally, it should be mentioned that our works, as well as all the existing results in Salsa0 cryptanalysis, are on reduced rounds and they do not pose any security threat against Salsa0/1, which is in the estream software portfolio. References 1. J. -P. Aumasson, S. Fischer, S. Khazaei, W. Meier, and C. Rechberger. New Features of Latin Dances: Analysis of Salsa, ChaCha, and Rumba. FSE 008, LNCS 5086, pp , Springer.. D. J. Bernstein. Snuffle 005: the Salsa0 encryption function 3. P. Crowley. Truncated differential cryptanalysis of five rounds of Salsa0. SASC ciphergoth.org/crypto/salsa0/ 4. S. Fischer, W. Meier, C. Berbain, J. -F. Biasse, M. J. B. Robshaw. Non-randomness in estream candidates Salsa0 and TSC-4. INDOCRYPT 006. LNCS 439, pp. -16, Springer. 5. T. Ishiguro, S. Kiyomoto, and Y. Miyake. Latin Dances Revisited: New Analytic Results of Salsa0 and ChaCha. ICICS 011, LNCS 7043, pp , Springer. See corrections in 6. N. Mouha and B. Preneel. Towards Finding Optimal Differential Characteristics for ARX: Application to Salsa0. Cryptology eprint Archive: Report 013/38, 7. Z. Shi, B. Zhang, D. Feng and W. Wu. Improved Key Recovery Attacks on Reduced-Round Salsa0 and ChaCha. ICISC 01, LNCS 7839, pp , Springer. 8. Y. Tsunoo, T. Saito, H. Kubo, T. Suzaki, and Hiroki Nakashima. Differential Cryptanalysis of Salsa0/8. SASC The ECRYPT Stream Cipher Project. estream Portfolio of Stream Ciphers. stream/